JP2689998B2 - Device for cryptographic operation - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

FIELD OF THE INVENTION The present invention relates generally to data processing systems and methods, and more particularly to cryptographic systems and methods used in data processing systems for improved security.

[0002]

2. Description of the Related Art US Patent Application No. 55502 (filing date March 1987, later US Patent No. 4,850,
No. 017) and No. 231114 (filing date 19
August 11, 1988, later US Patent No. 4,941, 176
No. 4014486 (filed on Aug. 30, 1989, later U.S. Pat. No. 4,918,728), and No. 398300 (filed Aug. 2, 1989).
No. 398299 (filed on August 2, 1989)
4th, later became U.S. Pat. Nos. 4,924,515) and 344165 (filing date April 27, 1989).
Japan and later became US Pat. No. 5,103,478),
No. 443418 (filed Nov. 29, 1989,
US Pat. Nos. 4,993,069) and 506319 (filed April 9, 1990, later became US Pat. No. 5,007,089) A cryptographic architecture for verifying that the key management function required for a cryptographic key in a processing system is permitted by the originator of the key is shown, and a key usage verification method based on a control vector check is shown. A control vector is a data structure that contains one or more fields of predetermined value that collectively describe the intended use of the associated cryptographic key . This control vector is specified by the key originator when the key is generated. The specification of the above application further states that the specified use is enforced by the key usage verification mechanism of this cryptographic architecture.
It discloses a method of binding control vectors to key values in a consistent manner to ensure that

The control vector check is a key usage verification configured such that the control vector is sent to a control vector check unit in a physically secure cryptographic device with an operation code indicating the required key management function to be performed. Is the law. The control vector checking unit uses a set of checking rules to check and compare the contents of various fields within each sent control vector. If the control vector satisfies the check rule associated with the required key management function, the control vector check unit sends a grant signal to the instruction processor in the cryptographic facility that can complete the required key management function. If one or more control vectors do not satisfy these checking rules, a disallow signal is issued and instruction execution is aborted.

The specification of the above-mentioned application is based on a control vector check rule, that is, a static rule hard-wired or hard-coded for each executable instruction of a cryptographic device. Methods for creating parametric rules that enable augmentation of various test rules and programmable test rules that enable safe and dynamic loading of test criteria into a control vector test unit from a store external to a cryptographic device Is shown.

It will be apparent to those skilled in the art that all key usage verification methods are based on defining the usage attributes defined by the key originator in the control vector associated with the cryptographic key. Collectively, these key usage verification methods are known as control vector (CV) enforcement. A common property of all of this CV enforcement is the concept of CV checking, that is, the application of a set of checking rules to various predetermined fields and values of one or more sets of control vectors sent by the user to the cryptographic device. .

In the CV inspection method, the user does not have the C
You have to manage V. CV management is a general term that refers to control vector definition, distribution and storage. For example, in the CV enforcement CV inspection method, when a key is given to a cryptographic device for processing a key management request, C
The user of the cryptographic device must maintain a CV copy of the originator of the key, since V must be accompanied by that key. (The CV is needed both to authenticate the requested use of the key and to properly recover the plaintext form of the key.) CV verification also requires the user to encrypt the key. The full contents of each CV must be defined prior to the occurrence or processing of the. The user must also distribute the CV with the cryptographic key as it is issued to other systems.

Therefore, the object of the present invention is to provide a CV outside the cryptographic device.
It is to provide a safe method for control vector enforcement that reduces or eliminates the need for management.

Another object of the present invention is to eliminate the storage means of the CV outside the encryption device.

Another object of the invention is to provide a secure method for control vector enforcement that allows the cryptographic key to be verified and recovered when the value of the explicit control vector associated with the key is unknown. That is.

Another object of the present invention is to provide a security method for control vector enforcement capable of internally extracting a control vector from input information entering a cryptographic device.

Another object of the present invention is to provide a security method for control vector enforcement in which a control vector is selected from a storage means in the cryptographic device based on an index taken out of the cryptographic device.

[0012]

The above objective is accomplished by the secure cryptographic operation of the present invention which employs several modes of control vector enforcement. The present invention discloses various methods of generating, selecting or retrieving a control vector based on the data contained in a cryptographic service request provided to a cryptographic device. Since the generation, extraction or selection of the control vector is performed within the security boundary of the cryptographic device, the control vector enforcement based on it is performed with high security.

It will be apparent to those skilled in the art that many benefits can be obtained by transferring some or all of the CV management capabilities to the cryptographic device itself. The present invention provides different CV enforcements that allow CVs to be generated or obtained within the cryptographic device based on the input information provided to the cryptographic device. Some of these advantages include:

-Improvement of reliability (integrity of CV maintained by cryptographic device) -Improvement of usability (simpler instruction interface) -Reduction of storage mechanism (reduction of CV stored outside cryptographic device) The invention also provides a CV enforcement mode that allows CV management capabilities to be shared by users and cryptographic devices. This mode is characterized in that different parts of the CV can be specified by the user for usage attributes with a range of maximum allowed values. However, the fixed part of the CV is specified by the cryptographic device based on the requested action and other input information about the usage attribute with a range limited to a set of expected values.

Another mode of CV enforcement according to the present invention is particularly applicable to cryptographic implementations where the defined key type and set of key usages are well defined. The use of those modes in such systems reduces the complexity of operation and checking of the CV enforcement mechanism within the cryptographic device.

[0016]

DETAILED DESCRIPTION FIG. 1 shows a cryptographic system A100 that includes one or more application programs (APPL) 8, cryptographic device access program (CFAP) 6, and cryptographic device (CF) 4. APPL8 is CFAP
Application programming interface from 6 (AP
I) Issue a cryptographic service request via the input channel 10 of 18. On the other hand, the CFAP 6 is an input channel 12 of the device access program interface (FAPI) 20.
Call one or more instructions of CF4 via. The CF4 executes the called instructions and outputs the processing result to the FAPI.
Return to CFAP 6 via 20 output channels 14. CFAP 6 then returns the result of the set of instruction calls, or some function of the result, to APPL 8 via output channel 16 of API 18. Details of the individual elements within the cryptographic system and the interfaces between the elements are given in the specification of said application. However, CFA
Some explanation of the functionality of the P6, CF4 and FAPI 20 interfaces is helpful in understanding the present invention.

CF4 is an input channel 1 of FAPI20.
2 supports a group of one or more cryptographic instructions that can be called externally via a group of input information provided to CF4. This input information may include a cryptographic service request in the form of an operation code, clear and / or cryptographic key parameters, plaintext data or ciphertext data, and so on. The operation code, that is, the OP code, selects a cryptographic command to be performed by CF4 from this cryptographic command group. The other part of the input information is the control or data parameter used in the cryptographic process identified by the OP code. This input information may be in the form of a structured control block with predetermined fields and values identifying the OP code and data parameters, or the input information required by CF4 to execute the instruction selected by the cryptographic service request. May be sent as individual data items via the input channel 12 until all have been received.

The CF4 uses the input information to send the FAPI20
The input information of the input channel 12 is converted into a group of output information, and this output information is returned to the output channel of the FAPI 20. Execution of the instructions occurs entirely within the physically secure boundaries of CF4, thus providing high integrity and confidentiality to the input encryption key and data in plaintext and other intermediate results.

As indicated in the specification of said application, CF
4 ensures that each cryptographic key is used to ensure that it matches the usage attribute assigned to it when it occurred. A
Due to the architecture, these usage attributes are synonymous with key encryption keys.
Cannot be combined into one key by combining with the built-in data value
Associated with minutes. When stored outside the boundaries of CF4
To encrypt that key. Key is stored outside the boundary of CF4
Key is encrypted by this key encryption key.
Will be converted. This structured data value is a control vector (C
V), which is the usage attribute defined when the key was generated.
It includes a field group of corresponding predetermined values. CV of the key
Make sure (that is, usage attribute) is processed in CF4
The mechanism used in CF4 to achieve this is CV enforcement.

The specification of the aforementioned US application discloses a method of CV enforcement known as control vector checking. In the control vector check, CF4 uses a fixed, variable or parameterized set of rules stored in CF4 to check the various fields in each CV provided to CF4 as input information blocks. If the contents of the given CV satisfy the check rule associated with the requested cryptographic instruction, CF4 permits the requested cryptographic conversion. If one or more of these CVs do not satisfy the rule, the instruction is aborted. Since each CV is closely attached to its associated key, and that key cannot be recovered in CF4 without identifying the correct CV that generated that key, the CV checking rules are met and the encryption key is Another CV that results in proper internal recovery of
There is no opportunity for trespassers to give to CF4.

The present invention allows the value of the control vector associated with the key parameter to be calculated internally by CF4 based on the contents of the input information passed in each instruction call rather than being given to CF4 by CFAP6. The present invention proposes another mode of CV enforcement. These methods have the advantage of storing some or perhaps all of the CV outside of CF4 and not having to pass FAPI 20. The reason is that CV or a part thereof is taken out inside CF4.

FIG. 2 shows the elements of CF4, and the input information is CF4 via the input channel 12 of the FAPI20.
to go into. FAPI 20 may be a "pass-through" type interface, or may perform the necessary format and type conversion functions to convert this input information into a form acceptable to the internal elements of CF4. Similarly, output information representing the result of processing the cryptographic service request is returned from the CF 4 via the output channel 14 of the FAPI 20. F
The API performs the data format and type conversion functions necessary to convert this output information into an acceptable form for a device call access program (eg CFAP 6 in FIG. 1).

Internally, the CF 4 includes an information selecting means 30, a control vector generating means 32, a key source means 34 and an encryption converting means 36. The information selection means 30 receives input information from the input channel 12. This input information is CF4
Of the instruction repertoire, the operation code (OP code) or the token value for selecting one of the plurality of instructions executed in the cryptographic conversion means 36. In addition, this input information can include one or more of the following:

-Plain text or ciphertext data to be processed-Clear (that is, plaintext) encryption key-Encryption encryption key, that is, key encryption that is a function (for example, exclusive-OR) of the system master key (or other key encryption key) Each plaintext key encrypted by a control vector that defines the encryption key and the type and usage attributes of the encrypted key. Control vector selection parameters. Other process specific parameters.

The information selection means 30 directs the various parameters contained in the input information to other elements of CF4 as required. This parameter selection and orientation can be done only for the OP code, or with the OP code and one given OP.
It is based on other process-specific parameters such as mode selectors that further define processing options in the code.

The control vector generating means 32 generates or takes out the control vector C to be used by the cipher conversion means 36, and processes the cipher key K associated with the vector. The control vector generating means 32 thus performs the relevant method of CV enforcement of the present invention. Means 32 outputs the generated or fetched control vector C to output channel 48 for storage in working register 38. In general, the control vector generating means 32 has a working register 38 as shown in FIG.
An ordered control vector group C to be stored in
A plurality of control vectors in the form of 1, C2, ..., Cn are generated and output.

The key source means 34 generates or obtains the cryptographic key value K to be used by the cryptographic conversion means 36. The key source means 34 receives selected input information including an instruction OP code and other parameters, and outputs a cryptographic key value K via an output channel 40 to be stored in a working register 38 together with its associated control vector C. To do. The output key value K is randomly generated in the key source means 34 or is extracted from the clear or encrypted key parameters in the selected input information entered from the information selection means 30 via the input channel 44. It
The key value K represents a clear or encrypted key. For example, if the key value K is randomly generated, K is defined as a random clear key K'encrypted by a key formed by the exclusive OR of the control vector C and the master key KM. This is K = e * KM. C
Notated as (K '). Where * KM is 128-bit K
Means M (64 bits without *).
Generally, the key source means 34 selects and outputs a plurality of key values in the form of a key group having an order of clear and encryption keys K1, ..., Kn as shown in FIG. Key value K
Each i is associated with one corresponding control vector Ci output by the control vector generating means 32.

FIG. 4 shows the elements of the key source means 34.
The key output selector 56 selects each of the output key values Ki from the set of the input clear or encrypted key values Key 1, ..., Key j included in the selected input information or the output of the random number generator 54. To do. The selection process of each key value Ki is the instruction OP code 50 and the information selection means 30 shown in FIG.
Based on other parameters 52 extracted from the selected input information entering the input channel 44 from. For example, C
F4 must generate a randomly generated 64-bit key K, encrypted with a key encryption key formed by exclusive-ORing a 128-bit key encryption key KK with a 128-bit control vector C3. Cryptographic service request such as "must have"
Let's consider the keyset (GKS) generation at X). KK is e * KM. C1 (KKL), e
* KM. It is stored in encrypted form as C2 (KKR), where KKL is the left 64 bits of KK and KKR is the right 64 bits of it. The input information of this cryptographic service request includes an OP code, a mode, an encrypted key KK and other information necessary for reconstructing the control vectors C1, C2, C3. Selected input information to the key source means 34 on the input channel 44 is the OP code, mode and key parameter e * KM. C1 (KKL) and e * K
M. Includes C2 (KKR) only. Key output selector 56
Defines its output selection criteria using OP code 50 and mode 52 as follows: K1 is the first of random number generator 54
Set to the 64-bit output K of the input key; K2 is the left 64-bit of the input key encryption key e * KM. Set C1 (KKL); K3 is the input key Encryption key right 64 bits e * K
M. Set to C2 (KKR).

Returning to FIG. 3, the control vector generating means 3
2 outputs, that is, control vectors C1, ..., With order
The group of Cn is the output of the key source means in the group of working registers 38, ie the n ordered key values K.
1, ..., Kn. The contents of the working register 38 are sent to the cipher conversion device 36 by the data channel 46. The information selection means 30 sends the OP code and other selected input information to the encryption conversion means 36 via the data channel 42.

The cipher conversion means 36 uses the OP code, the selected input information and the contents of the working register 38 to perform the cipher service related to the OP code. The result of the cryptographic processing is output via the output channel 14 in the form of output information to the cryptographic device calling access program (eg, CFA in FIG. 1).
It is output to P6). These results are also stored in a storage register in CF4 for use in the next instruction call. Other cryptographic instructions in the instruction repertoire of CF4 produce no output, they only change the processing of CF4 (eg, clear crypto device instructions, which are the contents of all working registers in CF4). Clear).

The function of the information selecting means 30 can be incorporated in each of the other main elements, that is, the control vector generating means 32, the key source means 34, or the cipher conversion means 36.

As mentioned above, the control vector generating means 32 performs another method of CV enforcement. In particular, the present invention discloses three different means of CV enforcement (and several variants of each): Internal CV table lookup Internal CV generation Masking or "bit fixed" CV enforcement. The implementation method must select a complete CV or multiple CVs for each requested cryptographic operation. An acceptable set of control vectors for each cryptographic operation must be defined by and under the control of the physical or logical security element of the cryptographic device. Thus, the user of the device has no means to remove the key types and usage restrictions defined by the implementor and the authorized system administrator. FIG. 5 shows the role of the control vector generating means, which selects one or more control vectors from the group of defined CVs based on the selected input information from the cryptographic service request to CF4. In the example of FIG. 5, IMPORTER (right half) CV is selected from the group. This CV type may be selected for re-encipher to master key (RTMK) operation or other operation to process an encrypted key-encrypted receiver key. The defined control vector group shown in FIG. 5 is not broad, and their values represent a general example of each CV type. This "general" refers to an example of a control vector that has the control attributes that allow maximum functionality for a given key type and use and impose minimal constraints. Thus, this defined set of control vectors can be expanded to include further examples of each CV type where functionality is further constrained or given some user definable fields. In FIG. 6, the CV required to process the cryptographic service request is stored in the control vector generating means 32.
One method of CV enforcement to be selected from the table of FIG. In this method, the "table indexing method", the control vector generating means 32 receives the selected input information from the information selecting means 30 via the input channel 45. This selected input information includes an OP code 50 that identifies the particular operation (or instruction) to be performed by the cryptographic device. OP code 50
And other input parameters 52 are provided to the CV table index selection function 65. The CV table index selection function 65 is a scheduled table of control vectors, that is, C
Calculate the index 66 pointing to an input or ordered group of inputs in the V-table 68. Selected CV
Is output by the control vector generating means 32 for storage in the working register 38. The CV table index selection function 65 can use a mathematical hash function to convert the input OP code 50 and other parameters 52 into a selection index 66. Alternatively, the index selection function 65 uses an algorithm (such as a group of "CASE" statements) to calculate the index 66.
Can be used. Alternatively, the select function element may be outside CF4 and CFAP 6 computes index 66 and provides it to CF4 via the input information, where it is simply verified by the CV table index select function. In this case, the verification process may be a simple algorithm that compares the selected index against a set of valid indexes for a given OP code. The table lookup method is characterized by the advantage that for most instructions the control vector does not pass through the interface of FAPI 20 and therefore the CV need not be stored or managed by the user of CF4. One variation of the CV enforcement table look-up method in which the instruction storage means of the cryptographic conversion means 36 includes a set of applicable control vectors for each defined instruction in the instruction repertoire of the cryptographic device. Shown in.

FIG. 7 shows another CV enforcement method, that is, a generation method. In this generating method, the control vector generating means 32 receives the selected input information entered from the information selecting means 30 via the input channel 45. This selected input information includes an OP code 50 that identifies the particular operation (ie, instruction) to be performed by the cryptographic device. The OP code 50 and other input parameters 52 are given to the service request conversion means 70. This means 70 is O
A group of CVs using the P-code 50 and other parameters 52
Generation parameters 72 are generated and these parameters 72 are provided to the CV generation function 74. Function 74 uses these generated parameters to construct a CV or ordered CV group to be provided to working register 38 via output channel 84.

The service request conversion means 70 can convert the OP code 50 and other input parameters 52 into CV generation parameters 72 using a table or algorithm means. The parameter 72 can consist of a high level, parameterized list of CV field names and corresponding values. For example:

USAGE = E, D, MG, MV EXPORT = NO KEY-FORM = 64 LEFT KEY-PART = NO CV generation function 74 interprets such a list to identify each field value keyword pair with a particular CV field position. To a binary code based on a predetermined meaning associated with each defined pair.

Alternatively, the service request converting means 70 may simply construct the skeleton of the CV based on the OP code 50 and the other input parameters 52 given in the cryptographic service request. The service request conversion means 70 can thus initialize a limited subset of CV fields whose values depend on the input parameters. The remaining fields of the CV skeleton that have no dependency on the input parameters are initialized by the CV generation function 74. Such independent CV fields are reserved fields (initialized to zero), fields with fixed position and value independent of CV type (anti-variant bit, etc.),
And other implementation constants (such as extension fields).

The parameter-dependent function of the service request conversion means 70 and the parameter-independent function of the CV generation function 74 can be combined into one element in the control vector generation means 32. In addition, the input parameters 52 are operation mode parameters (eg ENCI to use the DATA COMPAT-INTERNAL key instead of the default DATA PRIVACY key).
It may include a parameter MODE = 'COMPAT') that limits the PHER request. The input parameters 52 can also include the skeleton of the CV or the complete CV, from which the control vector generation means 32 takes the associated CV for storage in the working register 38 for the next cipher conversion in the cipher conversion means 36. You can put it out.

8 and 9 show the control vector generating means 3
An example of a CV enforcement generation method performed in 2 is shown. In this example, OP code 50 includes an ENCIPHER service request and the other input parameter 52 includes a COMPAT mode limit. The purpose of the control vector generating means 32 is to use the encrypted form e * KM. A control vector C used by the cryptographic conversion means 36 to internally recover the DATA COMPAT-INTERNAL key K provided to CF4 as C (K).
Is to occur. When this is recovered, the cryptographic conversion means 36 uses this recovered key K to ENCIPHER some blocks of plaintext data given in the cryptographic service request issued to CF4. The control vector generating means 32 uses the OP code 50 and other mode parameters 5
2 is given to the service request conversion means 70,
DATA COMPAT-INTERNAL Constructs a skeleton of control vector C '. The service request conversion means 70 uses the OP code 50.
And mode 52 to the CASE statement group to algorithmically select a set of executable statements to apply to the requested cryptographic transformation. In this case, the next statement is selected and executed.

CASE opcode OF / * Set up OP code specific field of control vector * / 'ENCIPHER': / * specific field ENCIPHER * / CASE mode OF'COMPAT ': Set Bits 08..14 = B'0000000' / * CVType = Data Compat Key * / Set Bits 18..21 = B'1111 '/ * Usage = E, D, MG, MV * / Set Bit 22 = B'0' / * Reserved Bit * / Set Bit 37 = B The expression between '0' / * Software Bit = Unspecified * / '/ *' and '* /' is treated as a comment. These comments give the name of the applicable CV field that is changed to the left of the equal sign and the mnemonic value for which the field is being set. The service request conversion means 70 serves to generate fields of the output CVC depending on the input parameters and the CV type (as in this example). The skeletons of CV and C ′ are output from the service request conversion means 70. 8 and 9 show a 64-bit CVC 'as eight hexadecimal bytes ("XX" indicates undefined or unknown).

The skeleton of CVC 'is then given to the control vector generating function 74 of the control vector generating means 32. The control vector generation function 74 uses a fixed CV field generator 76 to set or "fix" the remaining, parameter independent fields of this CV. In this example, these fields consist of some standard reserved fields, some unused software bits, extension bits, etc. Some of these fields are fixed in this implementation (Export
Control and Key Form), which can be considered parameter dependent in other implementations depending on the functional and safety requirements of the user. Output CVC "
Consists of a completely distributed control vector containing the merged output fields of the service request conversion means 70 and the fixed CV field generator 76. The CVC "is adjusted to even parity in the Adjust Even Parity component 80. (It was mentioned above that each byte of the control vector contains a parity bit which must be set to guarantee even parity on a byte-by-byte basis.) General DATA COMPAT IN
The last CVC of the TERNAL CV type C = X'0000
7D0003000000 'is a working register 38
It is output as a control vector C84 to be stored in.

The CV enforcement generation method is characterized in that a control vector is internally calculated from input parameters (OP code, mode: etc.) as in the table look-up method. However, in this generation method, the CV field is dynamically configured by an algorithm, a table, or a combination of both. The input CV is also used as a template to construct additional functionally related CVs. Examples thereof are shown in FIGS. 14 and 15.

FIG. 10 shows another method of CV enforcement, that is, a field fixing method. This method uses a group of algorithms or table driven rules to invalidate specific fields in a group of input CVs, thus ensuring that the CVs used in the process meet a given specification. To support the implementation of user-defined fields, this field fixing method only modifies the fields of the input CV that must be modified to meet the defined specifications. All other fields are passed through unchanged. This method differs from the table look-up method and the generation method, in that the CV is maintained and is given by the user via the FAPI 20 for each cryptographic service request to the CF 4 (CV Checking). Is shown). This method differs from the CV inspection in the following points. That is, rather than checking the contents of the CV field (eg, field XYZ has the value B'101 '), the CV field is forced to include the required contents (field XYZ is independent of previous contents). By setting to B'101 '). The process of forcibly setting the contents of the CV field to a predetermined value in the cryptographic device is called "fixed field" or simply "fixed".

FIG. 10 shows an input control vector 8 having an OP code 50 and five dispersed fields F1, ..., F5.
2 shows a group of selected input information entering the input channel 45 (from the information selection means 30), including 2 and other input parameters 52. Similar to the generation method described above, the field-fixing method is divided into two parts: (1) field fixing based on input parameters, and (2) field fixing independent of input parameters. The fixed field generator A86 receives the input OP code 50, the parameter 52 and the input CV 82 and fixes a group of parameter dependent fields in the input CV. The CV output of the fixed field generator A86 is the fixed field generator B.
88, where some parameter independent CV fields are fixed. Finally, the C88 output of B88 is provided to the Adjust Even Parity element 80 for even parity adjustment. The final control vector C84 consists of several unchanged fields (eg F2 and F5) from the original input CV 82 and a group of fixed fields (eg F1 ', F3', F4 '). CVC8
4 is sent to the working register 38 for the next processing.

11, 12 and 13 show an example of the field fixing method for CV enforcement. FIG. 11 shows an application program A outside the encryption device, for example, as shown in FIG.
PPL8 or encryption device access program CFAP6
The configuration of the input CV Cin 82 by the user is shown. APPL8 or CFAP6 define a group of variable fields in the control vector Cin. In particular, APPL /
CFAP is CV type, Export Control, Key Usage,
And set some CFAP force bits. In this example, the CFAP usage bit (Cin bit 34
37) CFAP makes the user of the key aware of the password before using the associated key in the cryptographic service request. C
The FAP use bit also allows CFAP to use the key associated with this CV only on weekdays. Another possible encoding for CFAP usage bits is to specify "no password required" or "only used Friday". The enforcement of CFAP usage bits is CFAP (if those bits are examined) and CF (if these bits are used in the CV to recover the associated key and ensure the integrity of the key CV association). It is shared. Configured control vector Cin =
X'0003C003C000000 'represents a skeleton of a CV in that the CV is not fully specified and therefore cannot be used with CF4. FIG. 12 shows a control vector generating means 32 for performing the fixed field method of CV enforcement. The user-configured CV Cin is given to CF 4 via CFAP 6 in the cryptographic service request. The control vector generating means 32 receives the OP code'ENCIPHER '50 and the control vector Cin 82 in the input information 45 selected from the cryptographic service request. Input control vector Cin8
2 is sent to the fixed field generator A86, which uses the input OP code 50 to select a group of executable statements that fix the parameter dependent fields of the input CVCin. The following statement is executed by the OP code 50 which makes'ENCIPHER 'equal to the user-defined CV type (bits 08 ... 14 of Cin). CASE opcode OF 'ENCIPHER': / * ENCIPHER-specific fields: * / CASE CV _Type OF / * CV-Type-dependent fields: * / OTHERWISE Set Bits 08… 14 ＝ B'0000000 '/ * Default is Data Compat Key * / Set Bit 18 = B'1 '/ * Usage must include E * / Set Bit 22 = B'0' / * Reserved Bit * / END CASE CV −Type / * other ENCIPHER fields: * / Set Bits 40… 42 ＝ B'000 '/ * Key Form = 64b Key * / Set Bit 44 = B'0' / * Key Part = No * / Set Bits 48 ... 54 = B'0000000 '/ * Reserved Bits * / This "rule" group ENCI with DATA COMPAT INTERNAL
The ENCIPHER usage bit E is set (already set at input Cin) for the PHER operation, ensuring that the key is 64 bits and not the key part. Figure 1 shows the ENCIPHER request.
In the rule of the fixed field generator A86 of 2, the CV type of the input CV Cin is DATA PRIVACY, DATA ANSI.
, Or one of DATA COMPAT-INTERNAL. Thus, the control vector generation means 32 uses the fixed field method to enforce the requirement that ENCIPHER operations be performed only on these three types of keys. Fixed field generator A86
Rules are divided into two parts: (1) CV type dependent rules and (2) non-CV type dependent rules. The latter rule depends only on the input OP code 50 (eg key form, key part, etc.). The fixed field generator A86 sends the modified control vector C'to the fixed field generator B88. C'in this example is the same as the user-defined input CV Cin for the reason DATA COMPAT-
OP code'ENCIPHER 'using INTERNAL key as input
All of the given fixed field specifications for Cin8
This is because 2 is satisfied.

The fixed field generator B88 executes a series of OP code independent fixed rules to set the remaining, undefined fields of the CVC '.
These fields contain a value that is common to all control vectors (eg anti-variant bit positions and values) or control vectors (eg reserved bits and extension bits) in all current implementations. The output of the fixed field generator B88 is the control vector C ″,
This is added to the Adjust Even Parity element 80. The output of this element 80 is the control vector C = X'00003C003F00000 adjusted to even parity.
0 ', which is stored in the working register 38 for subsequent cryptographic processing.

The examples of FIGS. 11 to 13 show the input control vector Cin.
= CV output from X'00003C003000000 '
The conversion to C = X'00003C00F000000 'is shown. CF4 will not recover this key K correctly unless the key K given in the ENCIPHER request is encrypted using the above CVC rather than the CVCin from the user. Thus, the application of the CV enforcement field fixation method is preferably the case where the user provides the actual CVC, whereby the key K associated with it is encrypted. In this case, if C is given unchanged from the control vector generating means 32, then the basic rules of fixed field enforcement for the requested operation are satisfied and the key K is recovered in CF4. The advantage of the fixed field method is that it is based on input parameters while allowing user definable fields.
V is to allow enforcement of selected fields. Another advantage (shown in the examples of FIGS. 11-13) is that the user need only identify a few well-defined fields of the input CV. The rest of the CV structure can be given by the fixed field rule in the control vector generating means 32 of CF4.

FIGS. 14 and 15 show a modification of the CV enforcement generation method in which one control vector C1 is used to form a functionally related control vector C2. In particular, Figures 14 and 15 are 128 bits
IMPORTER key (ie key encryption receiver key) KK
The method for extracting the control vector C2 for the right half 64-bit KK1R from the given control vector C1 associated with the left half 64-bit KK1L is shown. The selected input information entered from the information selecting means 30 (FIG. 2) via the input channel 45 is the service request OP code 50 '.
Includes RTMK 'and other input parameters 52. RTMK
Import form e * KK1. Requests that the key of C3 (K) (ie encrypted by IMPORTER key) be transformed into the operation form e * KM, C4CK (ie encrypted by local master key KM). The 64 bits to the left and right of the IMPORTER key are of the form e * KM. C1 (KK1L) and e * KM. C2
It is given to the instruction of CF4 by (KK1R).

CV C1, C3 and C4 are given to the control vector generating means 32 as a part of other parameters 52, and are inspected in the CV inspection element 90 using the CV inspection CV inspection method. As these values pass the test in CV test element 90, they are placed directly into working register 38, which is stored with their associated keys. (C4 does not have a corresponding input key. C4 is used by the cipher conversion means 36 to encrypt the recovered plaintext key K for output to the requested CFAP 6 via the output channel 14.) In the specification of the application, if the CV inspection is not passed, the operation is aborted. Other options are CV C1, C3, C4
Is also generated and field-fixed to another CV enforcement means 90 from another parameter 52 which is selected in the table index or is an input to the control vector generation means 32. In any case, CVC1 is provided to the right CV generator 92, which converts the left half CVC1 into the corresponding right half CVC2. C1 and C2 and C3 and C4 are sent to their location in working register 38.

FIG. 15 shows the elements of the right CV generator 92 and the processing flow there. The input control vector C1 for the key type IMPORTER (left half) (FIG. 5) is transformed with the keyform bits needed to retrieve the corresponding IMPORTER (right half) CVC2. All bits except C2's keyform bits are the same as C1's.

This variant of the method of generating CV enforcement has the advantage that the number of redundant CVs to be managed by a user outside the cryptographic device is reduced. This method is parameterized with a fixed relationship (or other input parameter 52 to the control vector generating means 32) such that one CV is mapped to an additional CV to be used to satisfy the required cryptographic service. Can be applied to any CV having a relationship.

FIG. 16 shows a modification of the CV enforcement table look-up method in which the instruction storage means 94 of the cipher conversion means 36 includes a group of applicable control vectors for each defined instruction in the instruction repertoire of the cryptographic device. Show. The instruction storage means 94 includes storage means for a group of executable routines, each routine including the code necessary to process all or part of one cryptographic unit instruction. The instruction processor 96 of the cipher conversion means 36 uses the information selection means 30.
The routine code corresponding to the OP code 50 received from (FIG. 2) via the channel 42 is fetched from the instruction storage means 94 and executed. The instruction processor 96 uses the other processing parameters 52 in the selected input information entered via the channel 42 to retrieve the proper executable code.

The instruction storage means 94 includes a group of scheduled control vectors C1, ..., Cn for each cryptographic instruction performed in the cryptographic conversion means 36. Thus, the function of the control vector generation means 32 of FIG. 2 to select one or more control vectors to be used in the processing of the cryptographic service request is performed by the cryptographic conversion means 36. The control vector for each cryptographic instruction is stored in table form in the code block associated with that instruction or is grooved with other such CV tables in a common data block in the instruction storage means 94. In any case, the instruction storage means 9
The four executable instructions include a coded reference to the location of each control vector Ci required to process the requested cryptographic instruction. These coded references are common CVs stored in the instruction storage means 94.
Takes the form of an index into the table, or
It may be in the form of a direct memory address for a CV embedded as a data item in an executable code block that is fetched and processed by instruction processor 96 for a particular OP code 50.

The instruction processor 96 thus uses the OP code 50 to select a group of executable codes and a group of control vectors C1, ..., Cn from the instruction storage means 94.
The instruction processor 96 receives from the working register 38 via the input channel 46 the selected control vector C1,
, Cn for a group of keys K1, ..., Kn corresponding to Cn,
Use V and key to clear or re-encrypt encrypted key back to clear key. The instruction processor 96 also uses a key or cryptographic variable (e.g., system master key KM98) securely stored in clear in the cryptographic conversion means 36. For example, the instruction processor 96 has the instruction storage means 94.
Control vector C1 and master key KM98 extracted from
Using e * KM. Decrypt the data key encrypted in the form of C1 (K). Since the clear key K satisfies the cryptographic instruction requested by the instruction processor, for example, the key K
Is used to encrypt the plaintext data and provide the ciphertext via the channel 14 to the requesting CFAP 6.

This modification of this table look-up method for CV enforcement has the advantage that the control vector needed to process a cryptographic instruction is stored with the executable code that executes the instruction. The user of the cryptographic device does not need to include the control vector in the instruction when making a request for cryptographic services. The CV is selected by the instruction processor 96 based on the requested OP code 50 and other input parameters 52. In this way the interface to the cryptographic device is simplified. Moreover, the user is relieved of control vector control outside the cryptographic device.

[Brief description of the drawings]

FIG. 1 is a block diagram showing the main requirements of a cryptographic system.

FIG. 2 is a block diagram showing logical elements of a cryptographic device, wherein a control vector generating means and a key source means generate a control vector C and a cryptographic key K, respectively, based on input information given to the cryptographic device, Then, this control vector generation means performs one or more different modes of CV enforcement.

FIG. 3 is an expanded block diagram of control vector generation means and key source means for generating a plurality of control vector-cipher key pairs (C, K) from input information applied to a cryptographic device.

FIG. 4 is a diagram showing elements of a key source means and data flow therein, wherein the key source means generates a random key or selects a key from selected input information provided to a cryptographic device in a cryptographic service request. I'm getting along.

FIG. 5 is a diagram showing a group of control vectors to which selected input information given to a cryptographic device in a cryptographic service request is mapped by control vector generation means.

FIG. 6 shows a method of CV enforcement in which a control vector generating means calculates a table index using selected input information from a cryptographic service request, and this table index is stored in the cryptographic device. Of the control vector values stored in the control vector table of
FIG. 4 is a diagram showing a method of selecting and outputting one control vector from stored values.

FIG. 7 is a diagram showing another method of CV enforcement in which the control vector generating means dynamically generates the control vector using the input information selected from the cryptographic service request.

FIG. 8 shows an example of the CV generation method of FIG. 7 in combination with FIG. 9, in which the DATA COMPAT-INTERNAL control vector is an input operation given to the cryptographic device within the input information selected in the cryptographic service request. The figure of the 1st part showing what was made to generate based on a code and an operation mode parameter.

FIG. 9 is a second showing one CV generation method in combination with FIG.
Figure of the part.

FIG. 10 is a block diagram showing an example of the input information selected in the cryptographic service request by the control vector generation means receiving the input control vector;
The figure which shows the other method of CV enforcement which made a group of fields fixed (namely, overlay) to a predetermined value based on the input operation code added to a cryptographic device, and other input parameters.

11 shows an example of the CV field fixing method shown in FIG. 10 in combination with FIG. 12 and FIG.
FIG. 5 is a first part diagram showing a COMPAT-INTERNAL control vector generated from a skeleton of an input control vector containing a set of usage attributes for user-definable fields.

FIG. 12 is a second part view showing the CV field fixation method in combination with FIGS. 11 and 13;

FIG. 13 is a third part diagram showing the CV field fixation method in combination with FIGS. 11 and 12;

FIG. 14 is a CV enforcement CV in which one or more control vectors are internally derived from an input control vector applied to a cryptographic device within a cryptographic service request.
FIG. 16 shows another embodiment of the generating method in combination with FIG. 15, wherein the control vector associated with the right 64 bits of the 128-bit IMPORTER (key encryption) key is the 128 bits.
The figure of the 1st part which shows the example adapted to be taken out internally from the input control vector related to the right 64 bits of the IMPORTER key.

FIG. 15 is a second part diagram illustrating one CV generation method in combination with FIG. 14.

FIG. 16 illustrates one or more control vectors selected from a set of predetermined values stored in an instruction storage means that includes a corresponding set of executable code for each cryptographic instruction in the instruction repertoire of the cryptographic device. FIG. 6 is a diagram showing a modified example of the table indexing method for CV enforcement.

[Explanation of symbols]

100 Cryptographic system A 8 Application program (APPL) 6 Cryptographic device access program (CFAP) 4 Cryptographic device (CF) 10 Input channel 16 Output channel 18 Application programming interface (API) 20 Device access program interface (FA)
PI) 30 Information selection means 32 Control vector generation means 34 Key source means 36 Cryptographic conversion means 38 Working register 40 Output channel 44 Input channel 54 Random number generator 56 Key output selector

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Inventor Anne, Buoy, Re, Virginia, Manassas, Battlefield, Drive, 10227 (72) Inventor Steven, M, Matoyas Manassas, Cedar, Ridge, Virginia, USA Drive, 10298 (72) Inventor Rothtislaw, Primac, Virginia, United States, Damfries, Fairway, Drive, 15900 (72) Inventor John, Dee, Wilkins United States Virginia, Somerville, Pee, Oh, Box, 8 (56) ) References JP-A-2-106787 (JP, A)

Claims (9)

(57) [Claims] 1. A cryptographic service for physically operating a cryptographic device that performs cryptographic operations using a cryptographic key, and an application program from the outside of the cryptographic device for the cryptographic device to operate with the cryptographic key. Request, the cryptographic key is associated with a control vector, each of the control vectors having a field of predefined values, the field being permitted by its originator to perform the associated cryptographic key. A device for performing a cryptographic operation in the cryptographic device in a data processing system adapted to define a function, and having an input end for receiving input information including a cryptographic service request, and responding to the cryptographic service request A control vector generating means inside the cryptographic device for generating a control vector inside the cryptographic device and giving the control vector to the output terminal thereof; No. has an input for receiving the input information including a service request, and generates a key value associated with the control vector within the encryption device in response to the cryptographic service request,
Key source means inside the cryptographic device for giving the key value to its output end, a first input end for receiving the input information, and a second input end for receiving the control vector and the key value, An apparatus for performing a cryptographic operation within a cryptographic device, comprising: a cryptographic conversion device within the cryptographic device for cryptographically converting the input information into output information using a control vector and the associated key value. 2. The control vector generation means outputs the control vector to the cryptographic conversion device via a means for storing the control vector and an output end of the control vector generation means in response to the cryptographic service request. An apparatus for performing cryptographic operations in a cryptographic apparatus according to claim 1, further comprising: 3. The control vector generation means stores a storage device having a table of control vectors accessible by an index value related to the cryptographic service request, and a control vector accessed from the storage device in the cryptographic service request. The device for performing a cryptographic operation in the cryptographic device according to claim 1, further comprising: a unit that outputs from the control vector generating unit to the cryptographic conversion device in response thereto. 4. The control vector generating means is an instruction including the control vector to be output to the cryptographic conversion device in response to the cryptographic service request, and the cryptographic conversion for executing the requested cryptographic service. An apparatus for performing cryptographic operations in a cryptographic apparatus according to claim 1, further comprising instruction storage means for storing instructions to be output to the apparatus. 5. The control vector generating means has an input end connected to the input end for receiving a cryptographic service request, and outputs the cryptographic service request to the cryptographic conversion device in response thereto. An apparatus for performing a cryptographic operation in a cryptographic apparatus according to claim 1, further comprising service request conversion means for converting into a vector. 6. The cryptographic service request has a first part having a field having a predetermined value and a second part having a field having a variable value, and the control vector generating means is provided with the first part and the first part. Two
An apparatus for performing a cryptographic operation in a cryptographic apparatus according to claim 1, wherein a control vector is formed from the parts and the control vector is output to the cryptographic conversion apparatus in response to the cryptographic service request. 7. The control vector generating means selects a control vector from a set of predefined control vectors,
The device for performing a cryptographic operation in the cryptographic device according to claim 1, wherein a selected control vector is given to the output end in response to the cryptographic service request. 8. A device for performing cryptographic operations in a cryptographic device according to claim 7, wherein said control vector generating means stores said set of predefined control vectors in a look-up table. 9. The cryptographic device according to claim 1, wherein the input information includes a value encrypted by a key formed by a logical combination of a master key and the control vector. apparatus.